Smithsonian Institution
Office of the Inspector General

Information Security Practices
In Brief
Report Number A-07-08, March 31, 2008

Why We Did This Evaluation

The Federal Information Security Management Act of 2002 (FISMA) directs the Office of the Inspector General to annually evaluate the information security program of the Institution. The Institution voluntarily complies with FISMA requirements because it is consistent with its strategic goals. During this year's review, we assessed (1) the effectiveness of the Institution's security program, (2) the Institution's compliance with FISMA guidelines, (3) the security of the Human Resources Management System and ID and Badging, C-Cure Central, and Central Monitoring Systems, and (4) progress made in correcting previously reported information security weaknesses.

What We Recommended

We made four recommendations to ensure that controls over major and minor systems are identified, documented, and implemented; system sponsors report their progress on remediating security weaknesses and that system specific POA&M activities are consolidated in the agency-wide POA&M; and policies and procedures for conducting annual security control testing are developed, documented, and implemented.

Management concurred with the report's findings and recommendations and has planned actions that will resolve all our recommendations.

What We Found

While progress has been made in complying with information security requirements, additional work remains to ensure adequate controls are in place and operating effectively. Specifically, we found that:

• The Institution's certification and accreditation process did not identify all major and minor systems in accordance with National Institute of Standards and Technology and FISMA requirements. Specifically, while management has certified and accredited portions of the Security Management System, it did not include other associated sub-systems and components. In addition, management did not include or address other Institution information systems in any of the Institution's system security plans.

• The Office of the Chief Information Officer (OCIO) did not centrally track, review, and consolidate system plan of action and milestones (POA&M) activities into the Institution-wide POA&M on a quarterly basis in accordance with Institution policy. While OCIO did report an Institution-wide POA&M to OMB on a quarterly basis, the submission did not include or consolidate all system POA&M items. Moreover, program officials did not consistently report the status of findings and recommendations reported in system POA&Ms to the CIO on a regular basis.

• Management did not ensure results of annual security control testing were adequately documented and weaknesses were included in related POA&Ms for tracking and correction. Specifically, OCIO has not developed and documented a policy or procedures specifying how management should determine what controls to test and what minimum documentation should be produced to support testing. A lack of adequate documentation to support the results of annual testing diminishes management's assurance that controls were adequately tested and that conclusions based on test results were appropriate. In addition, a lack of appropriate documentation of test results increases the risk that identified weaknesses will not be included in the system POA&M for tracking corrective actions.

We again note that the Institution's decentralized IT environment makes the implementation and enforcement of policies and procedures limited or inconsistent. Without the centralization of IT operations and the assignment of responsibility within OCIO for ensuring Institution policy and procedures are being followed, management cannot ensure adequate controls are in place.

For additional information or a copy of the full report, contact the Office of the Inspector General at (202) 633-7050 or visit http://www.si.edu/oig.